Skip to content

Instantly share code, notes, and snippets.

@jessfraz
Last active September 15, 2017 02:59
Show Gist options
  • Save jessfraz/ee00132c79f5f70ea6cd58610c6a8bc8 to your computer and use it in GitHub Desktop.
Save jessfraz/ee00132c79f5f70ea6cd58610c6a8bc8 to your computer and use it in GitHub Desktop.

Self isolating binaries

This is a play proposal for a new wrapper around go build that would build your binary but wrap it in code that would prepare isolation around your binary on run.

A concept of this is in https://github.com/jfrazelle/binctr, in that it takes a docker image and embeds the contents into a final binary so you have a self-contained binary.

The binctr example is unnessesarily heavy for go binaries because all you need is a completely static binary.

Also by doing this in the build step we can do some heavy lifting for you and create more secure isolation.

As an example of this, we could parse your code and find all the syscall's that would be called if everyline of your code is executed. Then on run we can provide a seccomp whitelist based off that data and apply it to the binary process.

App developers know their code the best so the isolation settings should be up to them and can be provided by a config file on build. Which namespaces the isolation should use and resource constraints could all be customizable.

Containers are cool, but it's all just code at the end of the day, go binaries could very easily sandbox themselves without the need for a daemon or seperate binary to do the work.

@kevinburke
Copy link

thats what cgroups are for, resource isolation :)

O shit I've never used those before. Will have to read more!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment